Misconfigured HMIs expose U.S. water systems to anyone with a browser

By Ryan Naraine

A stray artifact in a TLS certificate led security researchers to an unnerving discovery: hundreds of control-room dashboards for US water utilities were sitting a click away from the public internet, and dozens of them offered full, no-password control over pumps, valves and chemical feeds.

The trail started last October, when the Censys research team ran a routine scan of industrial-control hosts and noticed certificates with the word “SCADA” embedded in them. That label, short for Supervisory Control and Data Acquisition, is typically associated with monitoring systems in industrial control environments. Censys then found the same certificate distinguished name (DN) across several instances of an uncommon browser-based HMI platform.
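The certificate pivot described above, as an added example that is not Censys's tooling and not code from the article: a small script that flags subject DNs containing a marker string such as "SCADA" and then groups every host that presents an identical DN. The host addresses and DNs in the sample are constructed for the example; fetch_subject_dn() shows how the same DN string is obtained from a live host and is not used by the offline sample.

```python
"""Pivot on TLS certificate subject DNs to find hosts running the same HMI.

Added example (not Censys's tooling or code from the article). It mirrors the
two steps the article describes: flag certificates whose distinguished name
mentions SCADA, then group hosts whose certificates share an identical DN.
"""
import socket
import ssl
from collections import defaultdict

# Constructed sample: (host, subject DN) pairs in the shape a certificate
# scan would export. Addresses and DNs are invented for this example.
SAMPLE_RECORDS = [
    ("198.51.100.10", "CN=SCADA,O=Example HMI,C=US"),
    ("198.51.100.11", "CN=SCADA,O=Example HMI,C=US"),
    ("198.51.100.12", "CN=SCADA, O=Example HMI, C=US"),  # same DN, extra spaces
    ("203.0.113.5", "CN=scada-panel,O=Example HMI,C=US"),  # marker, but a lone host
    ("203.0.113.9", "CN=www.example.com,O=Example Corp,C=US"),
]


def fetch_subject_dn(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Return the RFC 4514 subject DN of the certificate a live host presents.

    Caveat: ssl.SSLSocket.getpeercert() returns an empty dict when verification
    is disabled, and HMI certificates are almost always self-signed, so the DER
    form is fetched and decoded with the (optional) cryptography package.
    """
    from cryptography import x509  # optional dependency, only for live fetches

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we want the DN, not a trust decision
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return x509.load_der_x509_certificate(der).subject.rfc4514_string()


def normalize_dn(dn: str) -> str:
    """Canonicalize a DN string so cosmetic spacing does not split a cluster.

    Splitting on commas is adequate for scan exports like the sample; DNs with
    escaped commas (RFC 4514 "\\,") would need a real parser.
    """
    return ",".join(part.strip() for part in dn.split(","))


def mentions_term(dn: str, term: str = "SCADA") -> bool:
    """Seed filter: does the DN contain the marker string (case-insensitive)?"""
    return term.lower() in dn.lower()


def cluster_by_dn(records):
    """Group hosts by identical (normalized) subject DN."""
    clusters = defaultdict(list)
    for host, dn in records:
        clusters[normalize_dn(dn)].append(host)
    return dict(clusters)


def pivot(records, term="SCADA", min_hosts=2):
    """Return DN clusters that mention `term` and are shared by >= min_hosts hosts.

    This is the pivot the article describes: a marker in one certificate leads
    to every other host presenting the same DN, i.e. the same HMI deployment.
    """
    return {
        dn: hosts
        for dn, hosts in cluster_by_dn(records).items()
        if mentions_term(dn, term) and len(hosts) >= min_hosts
    }


if __name__ == "__main__":
    for dn, hosts in pivot(SAMPLE_RECORDS).items():
        print(f"{dn}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

On the constructed sample, the only cluster returned is the three hosts sharing `CN=SCADA,O=Example HMI,C=US`; the single `scada-panel` host matches the marker but has no peers, which is exactly the kind of false lead the minimum-cluster threshold is there to drop. Any real use of fetch_subject_dn() against systems you do not own needs authorization.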

Curious, the team fetched screenshots from each IP address and found themselves staring at live process graphics from water-treatment plants: tank levels drifting up and down, chlorine pumps cycling on and off, and alarms flashing in real time.

Read more at Security Week
